Web beacon

A web beacon is any of several techniques used to track who is visiting a web page. They can also be used to see if an email was read or forwarded or if a web page was copied to another website. The first web beacons were small digital image files that were embedded in a web page or email. The image could be as small as a single pixel (a "tracking pixel") and could have the same colour as the background, or be completely transparent. When a user opens the page or email where such an image is embedded, they might not see the image, but their web browser or email reader automatically downloads the image, requiring the user's computer to send a request to the host company's server, where the source image is stored. This request provides identifying information about the computer, allowing the host to keep track of the user. This basic technique has been developed further so that many types of elements can be used as beacons. Currently, these can include visible elements such as graphics, banners, or buttons, but also non-pictorial HTML elements such as the frame, style, script, input link, embed, object, etc., of an email or web page. The identifying information provided by the user's computer typically includes its IP address, the time the request was made, the type of web browser or email reader that made the request, and the existence of cookies previously sent by the host server. The host server can store all of this information, and associate it with a session identifier or tracking token that uniquely marks the interaction. Use by companies Once a company can identify a particular user, the company can then track that user's behavior across multiple interactions with different websites or web servers. As an example, consider a company that owns a network of websites. This company could store all of its images on one particular server, but store the other contents of its web pages on a variety of other servers. For instance, each server could be specific to a given website, and could even be located in a different city. But the company could use web beacons requesting data from its one image server to count and recognize individual users who visit different websites. Rather than gathering statistics and managing cookies for each server independently, the company can analyze all this data together, and track the behavior of individual users across all the different websites, assembling a profile of each user as they navigate through these different environments. == Email tracking ==

Web beacons embedded in emails have greater privacy implications than beacons embedded in web pages. Through the use of an embedded beacon, the sender of an email – or even a third party – can record the same sort of information as an advertiser on a website, namely the time that the email was read, the IP address of the computer that was used to read the email (or the IP address of the proxy server that the reader went through), the type of software used to read the email, and the existence of any cookies previously sent. In this way, the sender – or a third party – can gather detailed information about when and where each particular recipient reads their email. Every subsequent time the email message is displayed, the same information can be sent again to the sender or third party. "Return-receipt-to" (RRT) email headers can also trigger sending of information and these may be seen as another form of a web beacon. Web beacons are used by email marketers, spammers, and phishers to verify that an email is read. Using this system, they can send similar emails to a large number of addresses and then check which ones are valid. Valid in this case means that the address is actually in use, that the email has made it past spam filters, and that the content of the email is actually viewed. To some extent, this kind of email tracking can be prevented by configuring the email reader software to avoid accessing remote images. One way to neutralize such email tracking is to disconnect from the Internet after downloading email but before reading the downloaded messages. (Note that this assumes one is using an email reader that resides on one's own computer and downloads the emails from the email server to one's own computer.) In that case, messages containing beacons will not be able to trigger requests to the beacons' host servers, and the tracking will be prevented. But one would then have to delete any messages suspected of containing beacons or risk having the beacons activate again once the computer is reconnected to the Internet. Web beacons can also be filtered out at the server level so that they never reach the end-user. == Beacon API ==

The Beacon API (application programming interface) is a candidate recommendation of the World Wide Web Consortium, the standards organization for the web. It is a standardized API that directs the web client to silently send tracking data back to the server, i.e. without alerting the user and thus disturbing their experience. Use of this Beacon API enables user tracking and profiling without the end-user's awareness, as it is invisible to them, and without delaying or otherwise interfering with navigation within or away from the site. Support for the Beacon API was introduced into Mozilla's Firefox browser in February 2014 and in Google's Chrome browser in November 2014. == Spy pixels ==

Spy pixels or tracker pixels are hyperlinks to remote image files in HTML email messages that have the effect of spying on the person reading the email if the image is downloaded. They are commonly embedded in the HTML of an email as small, imperceptible, transparent graphic files. Spy pixels are commonly used in marketing, and there are several countermeasures in place that aim to block email tracking pixels. However, there are few regulations in place that effectively guard against email tracking approaches. History Networked email was pioneered in 1971 by Ray Tomlinson and has made it much more convenient to send and receive messages as opposed to traditional postal mail. In 2020, there were 4 billion email users worldwide and approximately 306 billion emails sent and received daily. The email sender, however, still has to wait for a reply email from the recipient in order to confirm that their message was delivered. There are some situations where the recipient doesn't respond to the sender even when they have read the email, which is why the email tracking method emerged. Most email services do not provide indicators as to whether an email was read, so third-party applications and plug-ins have provided the convenience of email tracking. The most common method is the email tracking beacon or spy pixel. The tracking process begins when a sender inserts an image tag, represented as , into an HTML-based email. The image tag is linked to a tracking object stored on the server of the sender through a reference Uniform Resource Locator (URL). Once the mail client is opened, the recipient receives the email through a process whereby the mail user agent (MUA) synchronizes updates from the recipient's message transfer agent (MTA) with the local mail repository. When the recipient opens the email, the mail client requests the file that is referenced by the image tag. As a result, the web server where the file is stored logs the request and returns the image to the recipient. In order to track individual behavior, the tracking object or reference URL has to contain a tag that is unique to each email recipient. Oftentimes, the hash of the recipient's email is used. In contrast, IP address and device information collected from non-tracking images does not reveal specific users' email addresses. When a single email is sent to multiple recipients, the tracking report will normally show the number of emails that have been opened but not the specific recipients who have done so. Although this may be more challenging with web tracking, more advanced web trackers have data collection features, like the Meta Pixel's advanced matching feature, that allows people to be identified by submitting an email address or other PII on a form page. Usage Personal use Individuals and business owners may want to use email tracking for a variety of reasons, such as lead generation, event invitations, promotions, newsletters, one-click polls, and teacher-parent communications. They can use services like Yet Another Mail Merge (YAMM), a Google Sheets add-on, to create and send personalized mail merge campaigns from Gmail. The sender has the option to enable the tracker and see email open rates, clicks, replies, and bounces. According to YAMM's website: "YAMM embeds a tiny, invisible tracking image (a single-pixel gif, sometimes called a web beacon) within the content of each message. When the recipient opens the message, the tracking image is scanned, referenced and recorded in our system." Marketing Tracking the behavior of users through mediums like email newsletters and other forms of marketing communication is a competitive advantage in online marketing. In fact, it is so valuable that there are companies that sell online user data or offer email tracking as a service, such as Bananatag, Mailtrack.io, and Yet Another Mail Merge. Using data to map out the competitive landscape can also help companies derive a competitive strategy and gain a competitive advantage. However, adverse effects from behavioral marketing can include discrimination, including price discrimination. Malicious emails Some emails contain malicious content or attachments, and email tracking is used to detect how fast these viruses or malicious programs can spread. Spying effect The spying effect is that, without the email recipient choosing to do so, the result of the automatic download is to report to the sender of the email: if and when an email is read, when (and how many times) it is read, the IP address and other identity details of the computer or smartphone used to read the email, and from the latter, the geographical location of the recipient. This information provides insights into users' email reading behaviors, office and travel times, as well as details about their environment. For example, a board member of a major technology company was caught forwarding confidential information when an email log entry, IP address, and location information were examined simultaneously. Additionally, if spammers send emails to random email addresses, they can identify active accounts in this manner. Furthermore, third-party trackers can be considered as “adversaries” to Internet users because the use of HTTP cookies, Flash cookies, and DOM storage breaks data confidentiality between the users and the websites they interact with. Overall, researchers at Carnegie Mellon University and Qualcomm found that many users don't see tracking as black and white. Many want control over tracking and think that it has its benefits, but don't know how to control tracking or distrust current tools. Out of 35 participants in the study, fourteen saw tracking as conditionally positive, eight saw it as generally neutral, nine saw it as generally negative, and the remaining four had mixed feelings. Twelve participants felt resigned to tracking. Countermeasures Countermeasures include using a plain text email client, disabling automatic download of images, or, if reading email using a browser, installing an add-on or browser extension. The process of email-tracking does not require cookies, which makes it difficult to block without affecting user experience. For example, disabling automatic download of images is easy to implement; however, the trade-off is that it often results in a loss of information, incorrect formatting, a decline in user experience, and incomprehension or confusion. Recent research has focused on using machine learning to develop anti-tracking software for end-users. Privacy tools can have usability flaws which makes it difficult for users to make informed and meaningful decisions. For example, participants in a study thought that they had installed configured a tool successfully when they had not. Additionally, the rise of ad-blockers and similar privacy tools have led to the emergence of anti ad-blockers, which seek out ad-blockers and try to disable them with various methods, in an escalating ad-blocker arms race. == Notes ==